Ask your WordPress questions! Pay money and get answers fast!

Warning: Please do not give out any FTP or ssh credentials to anyone, unless you trust them completely. Giving out login details is dangerous.

If the asker does not get an answer then they have 10 days to request a refund.

$15
Wordpress Security

Hello, I am pitching to build a WordPress site for a big client. I am capable in WordPress design and build; however, I have always overlooked security, thinking that the built-in functions would be enough.

One of the questions my client has raised is:
"WordPress has a number of security issues. It is notoriously vulnerable to SQL injection attacks, for example, and the open source nature of WordPress makes it relatively easy to gain unauthorized access to files. We would therefore like the site protected with security plugins such as Better WP Security."


I would like to know how you would protect a site, how and why?
Please let me know any plugins or custom edits you would do.

Thank you

This question has been answered.

Ross Gosling | 01/18/13 at 12:56pm


(3) Responses


  • Dbranes says (last edited 01/18/13, 4:40pm):

    "WordPress has a number of security issues. It is notoriously vulnerable to SQL injection attacks, for example, and the open source nature of WordPress makes it relatively easy to gain unauthorized access to files."


    I don't agree if they mean the WordPress core: it's well maintained, tested by millions, and security patches are shipped out fast.

    Here are some ideas for both WordPress and other CMSs:

    - rule 1: always assume your site (WordPress or not) will be hacked, so you must have a recovery plan ;-)

    - use the latest cms version

    - use only quality hosting

    - use htpasswd on the backend (wp-admin/* and wp-login.php)

    - consider cloudflare.com to block threats and limit abusive bots

    - don't use ftp

    - use only "well tested" plugins/extensions

    - consider the security plugins (like BWS for WordPress)

    - don't forget the backups

    Hope this helps

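The "htpasswd on the backend" item above is easy to get subtly wrong, so here is a worked version. This is an added example, not code from Dbranes's answer or from WordPress. It assumes Apache 2.4 `.htaccess` syntax (`Require` rather than `Order`/`Allow`), that `AllowOverride` permits `AuthConfig`, and that `htpasswd(1)` or `openssl(1)` is installed; every path, the user name `editor` and the demo password are placeholders invented for the example. One thing the one-liner in the answer does not say: `wp-admin/admin-ajax.php` is requested by themes and plugins on behalf of logged-out visitors, so a blanket password on `wp-admin/*` breaks those features unless that file is exempted.

```shell
#!/bin/sh
# Added example: HTTP basic auth in front of wp-admin/ and wp-login.php.
# Not code from the original answer or from WordPress. Assumes Apache 2.4
# (mod_auth_basic, mod_authn_file, AllowOverride AuthConfig); all paths
# and the demo credentials are made up for illustration.
set -u

# wp_admin_htaccess AUTHFILE: body of wp-admin/.htaccess.
# admin-ajax.php stays reachable because themes and plugins call it for
# logged-out visitors; without that exception those requests get a 401.
wp_admin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# wp_login_htaccess AUTHFILE: block to append to the web-root .htaccess so
# wp-login.php asks for the same credentials.
wp_login_htaccess() {
    cat <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# htpasswd_entry USER PASSWORD: print "user:hash". Prefers bcrypt via
# htpasswd(1); falls back to the apr1 (iterated MD5) format from openssl,
# which Apache also accepts. Fails if neither tool is installed.
htpasswd_entry() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    else
        echo "htpasswd_entry: need htpasswd(1) or openssl(1)" >&2
        return 1
    fi
}

# install_auth WEBROOT AUTHFILE USER PASSWORD: write the password file and
# both .htaccess fragments. Refuses an AUTHFILE under WEBROOT, because a
# file inside the document root may be downloadable by anyone.
install_auth() {
    webroot=$1 authfile=$2 user=$3 pass=$4
    case "$authfile" in
        "$webroot"/*)
            echo "install_auth: $authfile is inside the web root, refusing" >&2
            return 1 ;;
    esac
    htpasswd_entry "$user" "$pass" > "$authfile" || { rm -f "$authfile"; return 1; }
    wp_admin_htaccess "$authfile" > "$webroot/wp-admin/.htaccess"
    wp_login_htaccess "$authfile" >> "$webroot/.htaccess"
}

# Demo on a throwaway directory tree (constructed here, not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/html/wp-admin"
if install_auth "$demo/html" "$demo/.htpasswd" editor 'correct-horse-battery-staple'; then
    echo "wrote $demo/.htpasswd, $demo/html/wp-admin/.htaccess, $demo/html/.htaccess"
fi
rm -rf "$demo"
```

On Apache 2.2 the exemption inside `<Files admin-ajax.php>` is spelled `Satisfy Any` plus `Order allow,deny` / `Allow from all` instead of `Require all granted`. The password file must be readable by the web server's user and by nobody else, and passing the password with `htpasswd -b` puts it in the process list, so on a shared host run `htpasswd` interactively instead.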

  • plovs says (last edited 01/18/13, 5:21pm):

    WordPress is a lot more secure than your client's remark suggests; if we compare the number of installs and the number of exploits, then the chance that you will get hacked is small. The list mentioned above covers 99% of the use cases. Main points:

    - stay up-to-date
    - move wp-config.php
    - don't use wp_
    - don't use admin
    - good unique passwords
    - use good plugins
    - reduce the rights of your users as low as possible, do they have to be admin?

    If you run into trouble it will be because your install is out of date, has funky plugins (TimThumb), your users use admin:password, or they tell somebody their password.

    Some good links for further research:

    - http://codex.wordpress.org/Hardening_WordPress (Must read, like the whole of the Codex)
    - http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ (What kind of malware are we most likely to meet)
    - http://blog.softlayer.com/2012/tips-and-tricks-how-to-secure-wordpress/ simple security measures
    - http://www.wpmayor.com/plugin-reviews/top-10-essential-wordpress-security-plug-ins/ excellent list of plugins to test

    Bonus: be as up-to-date as is possible without pulling WordPress from SVN:

    - http://wordpress.org/extend/plugins/hotfix/

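Three of plovs's points (the `wp_` table prefix, the location of wp-config.php, and weak passwords) can be checked offline against the config file, which is handy before handing a site over. The script below is an added example, not plovs's code or part of WordPress. It assumes the stock `define('NAME', 'value')` and `$table_prefix = '...'` lines, and it treats a `wp-settings.php` beside `wp-config.php` as proof that the config is still in the web root (WordPress also reads wp-config.php from the directory above the install, which is what "move wp-config.php" refers to). The 16-character threshold and the sample configs are choices made for the example.

```shell
#!/bin/sh
# Added example (not plovs's code or WordPress's): audit a wp-config.php for
# three of the weak defaults listed above. Assumes stock
# define('NAME', 'value') and $table_prefix = '...' lines.
set -u

# nth_quoted N PATTERN FILE: the Nth single- or double-quoted string on the
# first line of FILE containing the fixed string PATTERN, or nothing.
# define('DB_PASSWORD', 'x') -> quoted string 2 is the value;
# $table_prefix = 'wp_';     -> quoted string 1 is the prefix.
nth_quoted() {
    grep -F -- "$2" "$3" | head -n 1 | awk -v n="$1" -F"['\"]" '{ print $(2 * n) }'
}

# audit_wp_config PATH: print one WARN line per finding; the return value is
# the number of findings, so 0 means clean.
audit_wp_config() {
    cfg=$1
    n=0

    # 1. Table prefix left at the default (or missing altogether).
    prefix=$(nth_quoted 1 '$table_prefix' "$cfg")
    case "$prefix" in
        ''|wp_) echo "WARN: table prefix is the default 'wp_'"; n=$((n + 1)) ;;
    esac

    # 2. Database password blank or short (16 is an arbitrary floor).
    pw=$(nth_quoted 2 DB_PASSWORD "$cfg")
    if [ "${#pw}" -lt 16 ]; then
        echo "WARN: DB_PASSWORD is blank or shorter than 16 characters"
        n=$((n + 1))
    fi

    # 3. wp-settings.php next to wp-config.php means the config is still in
    #    the web root, where a server misconfiguration can expose it as text.
    if [ -f "$(dirname "$cfg")/wp-settings.php" ]; then
        echo "WARN: wp-config.php is in the web root; move it one level up"
        n=$((n + 1))
    fi

    return "$n"
}

# Demo: a constructed weak config in a fake web root, and a hardened one
# placed one level above it. Neither is a real site.
demo=$(mktemp -d)
mkdir -p "$demo/html"
: > "$demo/html/wp-settings.php"
printf '%s\n' "<?php" "define('DB_NAME', 'wp');" "define('DB_PASSWORD', 'password');" \
    "\$table_prefix = 'wp_';" > "$demo/html/wp-config.php"
printf '%s\n' "<?php" "define('DB_NAME', 'wp');" "define('DB_PASSWORD', 'Hx7pQ2r-Wm9kLz4vB8xq');" \
    "\$table_prefix = 'k3f9a_';" > "$demo/wp-config.php"
for f in "$demo/html/wp-config.php" "$demo/wp-config.php"; do
    echo "== $f"
    audit_wp_config "$f" || echo "$? finding(s)"
done
rm -rf "$demo"
```

The script deliberately says nothing about the `admin` user or user roles: those live in the database, not in wp-config.php, so check them in the Users screen or with a database query rather than by grepping files.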

  • phppoet says (last edited 01/20/13, 5:02pm):

    I completely disagree with your client's remarks. He may have had a bad experience with open source scripts and SQL injection, but that does not make a popular open source CMS more vulnerable to SQL injection and other security-related issues. On the contrary, a CMS developed by an active community always finds quick fixes for the latest vulnerability.

    In my opinion, WordPress is the most secure among all the open source scripts I have experienced.

Current status of this question: Completed


